I'm not sure, Tom, what trouble you were actually having, because I can't always just look at a configuration file and figure out what may be going wrong.
For me, I find it easiest to log every filter rule, pass or block, as a matter of course. I then use tcpdump(8) to confirm which rule is applicable to the packets of interest.
You probably already know it, but just in case:
- For any packet, the last matching rule in the file applies.
However, if a rule is "quick", a matching packet immediately stops all further tests, and the rule is applied. I avoid "quick" rules, to avoid confusing myself.
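As an added illustration of the two evaluation facts stated in the reply above (last matching rule wins; a matching "quick" rule stops evaluation at once), here is a small Python model of a pf-style ruleset. It is example code written for this page, not part of the original post and not pf's own implementation; the packet fields, the constructed RULESET, and the default-pass verdict for packets that match no rule (pf.conf(5) documents pass as the default action) are assumptions made for the illustration.

```python
"""Rule-evaluation model for a pf-style packet filter (added example).

Models the two facts from the reply: the last matching rule applies, and a
matching "quick" rule ends evaluation immediately.  Packet fields, rule
fields and the sample ruleset below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    quick: bool = False           # stop evaluating further rules on match
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # None matches any source address
    dst: Optional[str] = None     # None matches any destination address
    dport: Optional[int] = None   # None matches any destination port
    log: bool = True              # the reply's habit: log on every rule

    def matches(self, pkt: Packet) -> bool:
        """A rule matches when every field it specifies equals the packet's."""
        return all(
            want is None or want == have
            for want, have in (
                (self.proto, pkt.proto),
                (self.src, pkt.src),
                (self.dst, pkt.dst),
                (self.dport, pkt.dport),
            )
        )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], List[int]]:
    """Return (verdict, index of the rule that applied, indices of all rules examined
    that matched).  Later matches override earlier ones unless a quick rule matched,
    in which case evaluation stops there and nothing after it is examined."""
    winner: Optional[int] = None
    matched: List[int] = []
    for i, rule in enumerate(rules):
        if not rule.matches(pkt):
            continue
        matched.append(i)
        winner = i            # last match seen so far wins
        if rule.quick:
            break             # quick: the rule applies now, skip the rest
    if winner is None:
        # ASSUMPTION for this example: pf's documented default is to pass a
        # packet that matches no rule at all.
        return "pass", None, matched
    return rules[winner].action, winner, matched


# Constructed sample ruleset, in file order (rule numbers are list indices).
RULESET: List[Rule] = [
    Rule("block"),                                         # 0: block everything, overridable
    Rule("pass", proto="tcp", dport=22),                   # 1: allow ssh
    Rule("pass", quick=True, proto="tcp", dport=80),       # 2: allow http, quick
    Rule("block", proto="tcp", dport=80),                  # 3: never reached for tcp/80
    Rule("block", proto="tcp", src="10.0.0.66", dport=22), # 4: later rule beats rule 1
]


def explain(rules: List[Rule], pkt: Packet) -> str:
    """One-line trace, the kind of thing you confirm against tcpdump on the log interface."""
    verdict, winner, matched = evaluate(rules, pkt)
    if winner is None:
        return f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: no rule matched, {verdict} (default)"
    q = " quick" if rules[winner].quick else ""
    return (f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}: rule {winner} "
            f"({verdict}{q}) applied; rules matched: {matched}")


if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "10.0.0.5", "192.0.2.1", 22),   # rule 1 overrides rule 0
        Packet("tcp", "10.0.0.66", "192.0.2.1", 22),  # rule 4 overrides rules 0 and 1
        Packet("tcp", "10.0.0.5", "192.0.2.1", 80),   # rule 2 is quick, rule 3 never seen
        Packet("udp", "10.0.0.5", "192.0.2.1", 53),   # only rule 0 matches
        Packet("icmp", "10.0.0.5", "192.0.2.1"),      # rule 0 again
    ):
        print(explain(RULESET, pkt))
```

The third packet is the case the reply warns about: rule 3 reads like a block on tcp/80 and sits later in the file, yet it never takes effect because rule 2 is quick. Removing `quick=True` from rule 2 makes rule 3 win, which is exactly why logging every rule and checking the log with tcpdump beats reading the file.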